Merge pull request 'feat(branch-protection): enable actions bot whitelist in sync_rulesets' (#222) from feat/actions-bot-branch-protection into dev

feat(branch-protection): enable actions bot whitelist in sync_rulesets (#222)
2026-05-30 16:32:07 +00:00
parent 0a79a99256 3bccb43c83
commit fa77e4fa13
29 changed files with 58 additions and 51 deletions
@@ -5,7 +5,7 @@
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
 # INGROUP: moko-platform.Automation
-# VERSION: 09.15.00
+# VERSION: 09.17.00
 # BRIEF: Auto-create feature branch when an issue is opened

 name: "Universal: Issue Branch"
@@ -12,12 +12,12 @@ BRIEF: Release changelog
 # Changelog
 ## [Unreleased]

+## [09.17.00] --- 2026-05-30
+
+## [09.16.00] --- 2026-05-30
+
 ## [09.15.00] --- 2026-05-30

 ## [09.14.00] --- 2026-05-30

 ## [09.13.00] --- 2026-05-30
-
-## [09.12.00] --- 2026-05-30
-
-## [09.11.00] --- 2026-05-30
@@ -6,7 +6,7 @@ DEFGROUP: MokoStandards.Root
 INGROUP: MokoStandards
 REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 PATH: /README.md
-VERSION: 09.15.00
+VERSION: 09.17.00
 BRIEF: Project overview and documentation
 -->

@@ -9,7 +9,7 @@
 * INGROUP: moko-platform
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /cli/branch_rename.php
- * VERSION: 09.15.00
+ * VERSION: 09.17.00
 * BRIEF: Rename a git branch via Gitea API (create new, update PR, delete old)
 *
 * Usage:
@@ -12,7 +12,7 @@
 * INGROUP: moko-platform
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /cli/bulk_workflow_push.php
- * VERSION: 09.15.00
+ * VERSION: 09.17.00
 * BRIEF: Push a workflow file to all governed repos via the Gitea Contents API
 */

@@ -11,7 +11,7 @@
 * INGROUP: moko-platform
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /cli/bulk_workflow_trigger.php
- * VERSION: 09.15.00
+ * VERSION: 09.17.00
 * BRIEF: Trigger a workflow across multiple repos at once
 */

@@ -12,7 +12,7 @@
 * INGROUP: moko-platform
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /cli/client_dashboard.php
- * VERSION: 09.15.00
+ * VERSION: 09.17.00
 * BRIEF: Generate unified client dashboard HTML
 */

@@ -11,7 +11,7 @@
 * INGROUP: moko-platform
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /cli/client_inventory.php
- * VERSION: 09.15.00
+ * VERSION: 09.17.00
 * BRIEF: Discover and list all client-waas repos with their server configuration status
 */

@@ -12,7 +12,7 @@
 * INGROUP: moko-platform
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /cli/client_provision.php
- * VERSION: 09.15.00
+ * VERSION: 09.17.00
 * BRIEF: Provision a new client environment end-to-end
 */

@@ -12,7 +12,7 @@
 * INGROUP: moko-platform
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /cli/grafana_dashboard.php
- * VERSION: 09.15.00
+ * VERSION: 09.17.00
 * BRIEF: Manage Grafana dashboards via API
 */

@@ -9,7 +9,7 @@
 * INGROUP: moko-platform
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /cli/joomla_build.php
- * VERSION: 09.15.00
+ * VERSION: 09.17.00
 * BRIEF: Build a Joomla extension ZIP from manifest — all types supported
 * NOTE: Called by pre-release and auto-release workflows.
 *
@@ -9,7 +9,7 @@
 * INGROUP: moko-platform
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /cli/manifest_read.php
- * VERSION: 09.15.00
+ * VERSION: 09.17.00
 * BRIEF: Parse .manifest.xml and output requested field(s) for CI consumption
 *
 * Usage:
@@ -9,7 +9,7 @@
 * INGROUP: moko-platform
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /cli/release_cascade.php
- * VERSION: 09.15.00
+ * VERSION: 09.17.00
 * BRIEF: DEPRECATED — cascade behavior removed. Each release stream is independent.
 */

@@ -9,7 +9,7 @@
 * INGROUP: moko-platform
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /cli/release_publish.php
- * VERSION: 09.15.00
+ * VERSION: 09.17.00
 * BRIEF: Publish a release and create copies for all lesser stability streams.
 *
 * When a release is published at a given stability, copies are created for all
@@ -11,7 +11,7 @@
 * INGROUP: moko-platform
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /cli/scaffold_client.php
- * VERSION: 09.15.00
+ * VERSION: 09.17.00
 * BRIEF: Scaffold a new client-waas repo from Template-Client-WaaS with pre-configured settings
 */

@@ -56,34 +56,38 @@ $PROTECTIONS = [
 		'name'   => 'MAIN — protect default branch',
 		'branch' => 'main',
 		'rules'  => [
-			'required_reviews'  => 1,
-			'dismiss_stale'     => true,
-			'enforce_admins'    => true,
-			'block_on_rejected' => true,
+			'required_reviews'       => 1,
+			'dismiss_stale'          => true,
+			'enforce_admins'         => true,
+			'block_on_rejected'      => true,
+			'whitelist_actions_user' => true,
 		],
 	],
 	[
 		'name'   => 'VERSION — immutable snapshots',
 		'branch' => 'version/*',
 		'rules'  => [
-			'required_reviews' => 0,
-			'enforce_admins'   => true,
+			'required_reviews'       => 0,
+			'enforce_admins'         => true,
+			'whitelist_actions_user' => true,
 		],
 	],
 	[
 		'name'   => 'DEV — prevent branch deletion',
 		'branch' => 'dev/*',
 		'rules'  => [
-			'required_reviews' => 0,
-			'enforce_admins'   => true,
+			'required_reviews'       => 0,
+			'enforce_admins'         => true,
+			'whitelist_actions_user' => true,
 		],
 	],
 	[
 		'name'   => 'RC — prevent branch deletion',
 		'branch' => 'rc/*',
 		'rules'  => [
-			'required_reviews' => 0,
-			'enforce_admins'   => true,
+			'required_reviews'       => 0,
+			'enforce_admins'         => true,
+			'whitelist_actions_user' => true,
 		],
 	],
 ];
@@ -9,7 +9,7 @@
 * INGROUP: moko-platform
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /cli/updates_xml_sync.php
- * VERSION: 09.15.00
+ * VERSION: 09.17.00
 * BRIEF: Sync updates.xml to target branches via Gitea API
 * NOTE: Called by pre-release and auto-release workflows after updates.xml
 *       is modified on the current branch. Pushes the file to other branches
@@ -9,7 +9,7 @@
 * INGROUP: moko-platform
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /cli/version_auto_bump.php
- * VERSION: 09.15.00
+ * VERSION: 09.17.00
 * BRIEF: Auto patch-bump, set stability suffix, and commit — single CLI replacing inline workflow bash
 *
 * Usage:
@@ -9,7 +9,7 @@
 * INGROUP: moko-platform
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /cli/version_check.php
- * VERSION: 09.15.00
+ * VERSION: 09.17.00
 * BRIEF: Validate version consistency across README, manifests, and sub-packages
 *
 * Usage:
@@ -9,7 +9,7 @@
 * INGROUP: moko-platform
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /cli/wiki_sync.php
- * VERSION: 09.15.00
+ * VERSION: 09.17.00
 * BRIEF: Sync select wiki pages from moko-platform to all template repos
 */

@@ -11,7 +11,7 @@
 * INGROUP: MokoStandards
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /deploy/backup-before-deploy.php
- * VERSION: 09.15.00
+ * VERSION: 09.17.00
 * BRIEF: Snapshot Joomla directories before deployment for rollback capability
 */

@@ -11,7 +11,7 @@
 * INGROUP: MokoStandards
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /deploy/deploy-dolibarr.php
- * VERSION: 09.15.00
+ * VERSION: 09.17.00
 * BRIEF: Deploy Dolibarr module files to a remote server via SFTP/rsync
 */

@@ -11,7 +11,7 @@
 * INGROUP: MokoStandards
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /deploy/health-check.php
- * VERSION: 09.15.00
+ * VERSION: 09.17.00
 * BRIEF: Post-deploy health check — verify a Joomla site is responding correctly
 */

@@ -11,7 +11,7 @@
 * INGROUP: MokoStandards
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /deploy/rollback-joomla.php
- * VERSION: 09.15.00
+ * VERSION: 09.17.00
 * BRIEF: Rollback a Joomla deployment by restoring from a pre-deploy snapshot
 */

@@ -11,7 +11,7 @@
 * INGROUP: MokoStandards
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /deploy/sync-joomla.php
- * VERSION: 09.15.00
+ * VERSION: 09.17.00
 * BRIEF: Sync Joomla site directories between two servers via rsync over SSH
 */

@@ -373,17 +373,20 @@ class MokoGiteaAdapter implements GitPlatformAdapter
    public function setBranchProtection(string $org, string $repo, string $branch, array $rules): array
    {
        // Gitea uses a flat branch protection API
+        $whitelistActions = $rules['whitelist_actions_user'] ?? false;
        $protection = [
-            'branch_name'                     => $branch,
-            'enable_push'                     => true,
-            'enable_push_whitelist'            => false,
-            'enable_merge_whitelist'           => false,
-            'enable_status_check'             => $rules['required_status_checks'] ?? false,
-            'enable_approvals_whitelist'       => false,
-            'required_approvals'              => $rules['required_reviews'] ?? 0,
-            'dismiss_stale_approvals'         => $rules['dismiss_stale'] ?? false,
-            'block_on_rejected_reviews'       => $rules['block_on_rejected'] ?? true,
-            'block_on_outdated_branch'        => $rules['block_on_outdated'] ?? false,
+            'branch_name'                       => $branch,
+            'enable_push'                       => true,
+            'enable_push_whitelist'              => $whitelistActions,
+            'push_whitelist_actions_user'        => $whitelistActions,
+            'enable_merge_whitelist'             => false,
+            'merge_whitelist_actions_user'       => $whitelistActions,
+            'enable_status_check'               => $rules['required_status_checks'] ?? false,
+            'enable_approvals_whitelist'         => false,
+            'required_approvals'                => $rules['required_reviews'] ?? 0,
+            'dismiss_stale_approvals'           => $rules['dismiss_stale'] ?? false,
+            'block_on_rejected_reviews'         => $rules['block_on_rejected'] ?? true,
+            'block_on_outdated_branch'          => $rules['block_on_outdated'] ?? false,
            'block_on_official_review_requests' => false,
        ];

@@ -63,7 +63,7 @@ class VersionBumpTest extends TestCase
    {
        file_put_contents(
            "{$this->tmpDir}/README.md",
-            "<!-- VERSION: 09.15.00 -->\nSome content\n"
+            "<!-- VERSION: 09.17.00 -->\nSome content\n"
        );

        $this->execute();
@@ -34,7 +34,7 @@ class VersionReadTest extends TestCase
    {
        file_put_contents(
            "{$this->tmpDir}/README.md",
-            "# Test\n<!-- VERSION: 09.15.00 -->\n"
+            "# Test\n<!-- VERSION: 09.17.00 -->\n"
        );

        $this->assertSame('02.03.04', trim($this->runScript()));
@@ -68,7 +68,7 @@ class VersionReadTest extends TestCase
    {
        file_put_contents(
            "{$this->tmpDir}/README.md",
-            "<!-- VERSION: 09.15.00 -->\n"
+            "<!-- VERSION: 09.17.00 -->\n"
        );
        mkdir("{$this->tmpDir}/src", 0755, true);
        file_put_contents(
@@ -12,7 +12,7 @@
 * INGROUP: MokoStandards
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /validate/check_file_integrity.php
- * VERSION: 09.15.00
+ * VERSION: 09.17.00
 * BRIEF: Compare deployed files on a remote server against the local repository to detect drift
 */